I also removed [SOLVED] because this should be moved into Tips and Tricks, IMO.
---
title (previously): How to extract content from tshark-saved streams?
---

[[ The instructions are, of course, only for people who, even if advanced, haven't delved into network traffic analysis ]]
Familiarize yourself with how to follow streams

SSL Decode & My Hard-Earned Advice for SPDY/HTTP2 in Firefox
https://forums.gentoo.org/viewtopic-t-1029408.html
(beginners should study there or better the links from there; it is about SSL decrypt, but tcp and ssl streams are saved in similar fashion)

You will need to open in Wireshark a file... (don't know if Wireshark-2 still has issues:

I try and make a command to do it, for the cat line. I'll add spaces only to it. And in the hexdump line I'll manually remove the offset, and make only one line of it. And then I'll set the two one beneath the other:

How do you deal with the tshark one now? If you open it with hexedit, hexedit thinks it is a text file, and you get all the wrong screen, nothing sensible in the ascii column! Do try!

The words little-endian and big-endian come to mind... Also the difference in size is like between UTF-16 and UTF-8... Wikipedia is, I'm afraid, in the order of the day.

More studying... But these two files must have the same content. They come from the same source; the same content must be possible to extract from the tshark-saved one.

The thing is, the tshark is preferred for me. I could eventually automate things a bit with tshark. But how can I normally check with Wireshark what is going on when my machine connects somewhere if I have to manually save streams with Wireshark? When you go online with Firefox, you get tcp/ssl streams in the order of a hundred per minute!
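
An added example, not part of the original post: it assumes the stream was saved with tshark's `-z follow,tcp,raw,<n>` statistics option (the post does not show the command used). In that mode the output is ASCII hex text, one line per segment, with lines sent by the second node indented by a tab, so it has to be decoded back to bytes before it can match a binary save from Wireshark. The sample output, addresses and the function name `parse_follow_raw` are constructed for illustration.

```python
import binascii

# Constructed sample of `tshark -q -z follow,tcp,raw,0` output (not from the post).
SAMPLE = (
    "===================================================================\n"
    "Follow: tcp,raw\n"
    "Filter: tcp.stream eq 0\n"
    "Node 0: 192.0.2.10:40000\n"
    "Node 1: 192.0.2.20:80\n"
    "474554202f20485454502f312e310d0a\n"
    "486f73743a206578616d706c650d0a0d0a\n"
    "\t485454502f312e3120323030204f4b0d0a0d0a\n"
    "\t00ff10\n"
    "===================================================================\n"
)


def parse_follow_raw(text):
    """Return (node0_bytes, node1_bytes, in_order_bytes) from follow,raw text."""
    sides = {0: bytearray(), 1: bytearray()}
    ordered = bytearray()
    for lineno, line in enumerate(text.splitlines(), 1):
        # Skip blank lines, the ==== rulers and the header fields.
        if not line.strip() or line.startswith("="):
            continue
        if line.startswith(("Follow:", "Filter:", "Node ")):
            continue
        # A leading tab marks data sent by Node 1; unindented data is Node 0.
        node = 1 if line.startswith("\t") else 0
        try:
            chunk = binascii.unhexlify(line.strip())
        except (binascii.Error, ValueError) as exc:
            raise ValueError(f"line {lineno}: not a hex payload line") from exc
        sides[node] += chunk
        ordered += chunk
    return bytes(sides[0]), bytes(sides[1]), bytes(ordered)


if __name__ == "__main__":
    node0, node1, both = parse_follow_raw(SAMPLE)
    # The hex text is roughly twice the size of the payload it encodes.
    print(len(SAMPLE), "bytes of text ->", len(both), "bytes of payload")
    print(node0)
    print(node1)
```

Writing the returned bytes to a file opened in `"wb"` mode gives a binary that can be compared byte for byte with a raw stream saved from Wireshark.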